Essential Cybersecurity Practices for Protecting Your Trade Business and Client Data From Hackers
Tradespeople hold more sensitive client data than they realise — and they're increasingly targeted by hackers who know small businesses have weak defences. Here's what you need to do.
Most self-employed tradespeople don't think of themselves as cybercrime targets. Hackers go after banks and corporations, not a one-man plumbing business in Coventry.
This assumption is wrong — and dangerously so.
Small businesses and sole traders are a prime target for cybercrime in the UK, precisely because they hold valuable data (client addresses, payment information, business bank account details) and have weak or non-existent defences. The UK government's annual Cyber Security Breaches Survey found that 39% of UK businesses had identified a cyber attack in the previous 12 months, and smaller businesses are less likely to notice an attack or to report it, so the figure for sole traders is probably understated.
For a tradesperson, a successful cyber attack can mean: bank account drained, client data exposed (with potential GDPR liability), invoices hijacked and payment redirected, or business reputation destroyed by emails sent from your compromised account.
None of this is inevitable. The defences required are not expensive or technically complex — they just need to be in place.
What Data Are You Actually Holding?
The first step is understanding the data your business holds, because this determines both your risk level and your GDPR obligations.
A typical self-employed tradesperson holds:
- Client names, addresses, and phone numbers — personal data under GDPR
- Client email addresses — personal data
- Client bank account details (for direct debit customers) — sensitive financial data
- Job history and notes — potentially sensitive (a client's disability requiring ground-floor only access, a client's home security arrangements noticed on site, notes about the property layout)
- Subcontractor details — personal data
- Your own business bank account and card details — financial data
- Login credentials for supplier accounts, HMRC online, software platforms — access credentials
This is more than most tradespeople realise. And under GDPR, you have legal obligations to protect personal data relating to identified individuals — including your clients.
Your GDPR Obligations as a Sole Trader
GDPR applies to you. There is no sole trader exemption. If you hold personal data about clients — which you do — you are a data controller, and you have obligations:
You must: Only collect data that's necessary for the purpose, not hold it longer than necessary, keep it secure, and have a lawful basis for processing it (which, for a tradesperson, is usually 'contract' — you need the client's address to do the job they've hired you for).
You should have: A simple privacy policy (even a brief one-page document) that explains what data you collect, how you use it, and how long you keep it. If you have a website, this should be published on it.
If you have a data breach: Under UK GDPR you must report a breach to the ICO (Information Commissioner's Office) within 72 hours of becoming aware of it if it is likely to put the people affected at risk, and you must tell those people directly if the risk to them is high. You must keep a record of every breach, reported or not. A breach means unauthorised access to, or loss of, personal data: your phone being stolen with unencrypted client records on it, or your email being hacked and client contact details being exposed. A stolen phone that was locked, encrypted and remotely wiped is far less likely to be reportable, which is one reason the device measures below matter.
The ICO's maximum fines for UK GDPR infringements are £17.5 million or 4% of annual worldwide turnover, whichever is higher, though in practice penalties for small businesses are much smaller and reserved for egregious failures rather than honest mistakes. The more practical risk is the reputational damage of having to tell clients their data was compromised.
Password Security: The Most Important Defence
A large share of cyber attacks on small businesses begin with a compromised password rather than any exotic hacking technique: the attacker gets into one account with a weak or reused password, then moves across the business's other accounts from there (email first, because email can reset every other password).
The Three Password Disasters
Using the same password everywhere: If your Gmail password, your business bank password and your Checkatrade password are all 'Password1' or some variation, one breach (of any service) exposes all your accounts. Data breaches at third-party services are common, and leaked username/password pairs are replayed against banks, email providers and other services within hours by automated tools (known as credential stuffing), so a breach at a site you barely use is enough.
Using weak passwords: Anything under 12 characters, anything based on a name or a dictionary word, anything with predictable substitutions (P@ssw0rd) sits at the top of the wordlists attackers use; if a service's password database leaks, such passwords are cracked in seconds to minutes.
Not using two-factor authentication (2FA): Even a strong, unique password can be phished or leaked. 2FA requires a second verification (usually a code generated by an app on your phone, or sent by text) to log in, so a stolen password alone is not enough. Its one gap: a convincing phishing site can ask you for the code and relay it to the real site within the code's validity window, so 2FA does not replace the habit of checking where you are typing.
The Fix: A Password Manager
A password manager solves all three problems simultaneously. It:
- Generates a unique, strong (20+ character) password for every account
- Stores all passwords securely, encrypted, so you only need to remember one master password
- Fills in passwords automatically so there's no convenience penalty for using long, unique passwords
- Works across all your devices
Recommended options:
- Bitwarden (free for individual use): Open source, fully featured, widely recommended by security professionals; inexpensive paid plans add password sharing with staff.
- 1Password (£2.65/month): Excellent interface, slightly more user-friendly for non-technical users, business features on paid plans.
Setup time: about 2 hours to migrate your important accounts to unique passwords. Extra time per login afterwards: none, because the manager fills passwords in for you. Protect the manager itself with a long master passphrase and 2FA, and keep its recovery code somewhere safe offline.
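The three rules above, plus the breach lookup that password managers and Have I Been Pwned perform, as an added example written for this article (not code from Bitwarden, 1Password or Sleepless Tradesman). It uses Python's standard library only. The word list, the substitution table and the breach counts are constructed for illustration, and the Pwned Passwords "range" lookup is simulated against a locally built response rather than calling the real API, so the script runs offline; what it shows is that the check only ever needs the first five characters of the password's hash.

```python
from __future__ import annotations
import hashlib
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

# Constructed stand-in for the wordlists attackers really use (millions of entries).
COMMON_WORDS = {"password", "qwerty", "letmein", "welcome", "plumber", "sparky", "football"}

# Substitutions every cracking wordlist already includes, so P@ssw0rd counts as "password".
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def weakness_reasons(password: str) -> list[str]:
    """Return which of the 'password disaster' rules a password breaks ([] = none)."""
    reasons = []
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    # Trim the trailing '1' or '!' people bolt on, then undo leet-speak before the word check.
    core = password.strip(string.digits + string.punctuation).translate(LEET_MAP).lower()
    if core in COMMON_WORDS:
        reasons.append(f"built on the common word '{core}'")
    if password.isdigit():
        reasons.append("digits only (birthdays and PINs are tried first)")
    if len(set(password.lower())) <= 3:
        reasons.append("too few distinct characters")
    return reasons


def generate_password(length: int = 20) -> str:
    """What a password manager does: every character drawn from a CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def hibp_split(password: str) -> tuple[str, str]:
    """Split SHA-1(password) into the 5-hex-char prefix the Pwned Passwords API
    receives and the 35-char suffix that never leaves your machine (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, range_response: str) -> int:
    """Match the local suffix against the 'SUFFIX:COUNT' lines the API returns for
    the prefix. The server only ever sees the prefix, shared by hundreds of hashes."""
    _, suffix = hibp_split(password)
    for line in range_response.splitlines():
        found, _, count = line.strip().partition(":")
        if found == suffix:
            return int(count)
    return 0


def constructed_range_response(counts: dict[str, int]) -> str:
    """Build a fake API body for demonstration (constructed, not real breach data)."""
    lines = [f"{hibp_split(pw)[1]}:{n}" for pw, n in counts.items()]
    lines.append("0" * 34 + "A:1")  # filler entry standing in for some other password
    return "\n".join(lines)


if __name__ == "__main__":
    response = constructed_range_response({"Password1": 123456})  # constructed count
    for pw in ("Password1", "P@ssw0rd", generate_password()):
        seen = breach_count(pw, response)
        print(pw, weakness_reasons(pw), f"seen {seen} times in sample breaches")
    print(f"20 random characters from {len(ALPHABET)} symbols: {entropy_bits(20):.0f} bits")
```

The entropy figure is the point of the "20+ characters" advice: eight lowercase letters give under 40 bits, which a cracking rig exhausts quickly, while 20 random printable characters give about 131 bits, which is out of reach.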
Enable 2FA on Critical Accounts
As a minimum, enable two-factor authentication on:
- Business email account (Gmail, Outlook)
- Business bank account (most banks now require this by default, but check)
- HMRC online / Government Gateway
- Any payment processing account (Stripe, SumUp, Square)
- Your job management / invoicing platform
Use an authenticator app (Google Authenticator, Microsoft Authenticator, or the authenticator built into your password manager) rather than text-message 2FA where the service allows it. SMS codes can be diverted by a 'SIM swap', where a fraudster persuades your mobile provider to move your number to their SIM; app codes are generated on the phone itself from a shared secret and never travel over the phone network. Where a service offers a passkey or a hardware security key, that is better still, because it cannot be phished. Whichever you choose, download the backup/recovery codes the service shows you when you enable 2FA and store them in your password manager: without them, a lost phone can lock you out of your own accounts.
Email Security: Where Most Attacks Start
Email is the primary attack vector for small businesses. The two main threats are:
Phishing
Emails designed to look like they're from legitimate sources — HMRC, your bank, a supplier — that ask you to click a link and enter credentials or payment details.
HMRC is heavily spoofed because tradespeople regularly receive genuine HMRC communications and the fear response to a 'tax underpayment notice' is strong. HMRC will never email or text you asking for immediate payment by bank transfer or gift card, and it does not notify you of tax rebates or refunds by email or text. If you receive an email claiming to be from HMRC about an urgent tax issue, go directly to the HMRC pages on gov.uk (type the address manually, don't click the link) and log in from there. Forward suspicious HMRC emails to phishing@hmrc.gov.uk; any other suspicious email can be forwarded to the NCSC's Suspicious Email Reporting Service at report@phishing.gov.uk.
How to spot phishing:
- The sender's email address doesn't match the claimed sender (on a computer, hover over the name; on a phone, tap it to see the actual address). Watch for lookalike domains such as hmrc-gov.uk, or a familiar name writing from a free webmail address.
- The email creates urgency ('you must respond within 24 hours or face a penalty')
- There are spelling errors or odd phrasing (well-crafted phishing has none, so don't rely on this alone)
- The link's real address (hover over it, or long-press on a phone) doesn't match the expected domain. Read the part just before the first single '/': hmrc.gov.uk.secure-login.com is a page on secure-login.com, not on hmrc.gov.uk.
Business Email Compromise (BEC)
This is more sophisticated and is the attack that costs small trade businesses the most money. A hacker gains access to your email account (or to a client's email account) and either:
Hijacks invoice payments: Waits for you to send an invoice, then sends the client a follow-up email 'from you' explaining that your bank details have changed and providing new account details (actually the hacker's account). The client pays the hacker, and because the client authorised the transfer, the bank often won't refund it. Invoice and mandate fraud of this kind is one of the most costly categories of fraud reported by UK businesses.
Or impersonates you: Uses access to your email to send fraudulent invoices, gather information for further attacks, or send malicious content to your contacts.
The defence:
- Never change bank details by email alone. If you need to update payment information with a regular client or supplier, call them to confirm, using a number you already hold (not one given in the email). Tell your clients the same policy up front, and print it on your invoices: 'If you ever receive an email from me saying my bank details have changed, call me on my usual number to verify before paying.'
- Enable 2FA on your email account, the most direct protection against account takeover, and check your mailbox settings for forwarding or 'rules' you didn't create: attackers who get into an email account routinely add a rule that forwards or hides invoice-related messages so the hijack isn't noticed.
- Use Sleepless Tradesman or a dedicated invoicing platform for invoice delivery rather than email attachments where possible — invoices delivered via a platform with a secure payment link are much harder to redirect.
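The phishing signs and the BEC pattern above, turned into a check you can run over a saved message (most mail clients let you save an email as a .eml file), as an added example written for this article and not code from Sleepless Tradesman or any mail provider. It uses only Python's standard library. The trusted-domain list, the phrase lists and the two sample messages are constructed for the example and are not real mail; the sample links and addresses are made up.

```python
from __future__ import annotations
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the only domain family you expect genuine tax links to end with.
TRUSTED_LINK_DOMAINS = ("gov.uk",)
URGENCY_PHRASES = ("within 24 hours", "immediately", "penalty", "final notice", "suspended")
BANK_CHANGE_PHRASES = ("bank details have changed", "new account details", "new bank details")


class LinkCollector(HTMLParser):
    """Pull every href out of an HTML body."""
    def __init__(self):
        super().__init__()
        self.links: list[str] = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        if href:
            self.links.append(href)


def first_address(msg, header: str) -> tuple[str, str]:
    """(display name, address) of the first mailbox in a header, or ('', '') if absent."""
    hdr = msg[header]
    if hdr is None or not hdr.addresses:
        return "", ""
    return hdr.addresses[0].display_name, hdr.addresses[0].addr_spec.lower()


def link_is_trusted(href: str) -> bool:
    """True only if the host itself ends in a trusted domain: 'hmrc.gov.uk.evil.com' fails."""
    host = (urlparse(href).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_LINK_DOMAINS)


def check_email(raw: str, known_contacts: dict[str, str]) -> list[str]:
    """Return the red flags found in one raw email ([] = nothing found).
    known_contacts maps a display name you recognise to the address you hold for them."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    display, from_addr = first_address(msg, "From")
    # 1. A familiar name on an unfamiliar address (display-name spoofing)
    expected = known_contacts.get(display, "").lower()
    if expected and from_addr != expected:
        flags.append(f"'{display}' normally writes from {expected}, not {from_addr}")
    # 2. Replies quietly routed to another domain (the classic BEC tell)
    _, reply_to = first_address(msg, "Reply-To")
    if reply_to and reply_to.rpartition("@")[2] != from_addr.rpartition("@")[2]:
        flags.append(f"Reply-To {reply_to} does not match the sender's domain")
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    # 3. Links whose real host is not where the text implies
    collector = LinkCollector()
    collector.feed(content)
    for href in collector.links:
        if not link_is_trusted(href):
            flags.append(f"link goes to {urlparse(href).hostname}")
    # 4. Pressure wording and payment-redirection wording
    text = re.sub(r"<[^>]+>", " ", content).lower()
    if any(p in text for p in URGENCY_PHRASES):
        flags.append("urgency wording")
    if any(p in text for p in BANK_CHANGE_PHRASES):
        flags.append("says bank details changed: confirm by phone on a number you already hold")
    return flags


# Constructed samples (not real messages): a spoofed HMRC phish and a BEC payment redirect.
PHISHING_SAMPLE = """\
From: HMRC Notices <refunds@hmrc-gov-uk.com>
To: you@example.com
Subject: Tax underpayment
Content-Type: text/html; charset=utf-8

<html><body><p>You must respond within 24 hours or face a penalty.</p>
<a href="https://hmrc.gov.uk.secure-refund-login.com/pay">Pay now</a></body></html>
"""

BEC_SAMPLE = """\
From: Dave Plumbing <dave@daveplumbing.co.uk>
Reply-To: dave.plumbing@accounts-mail.net
To: you@example.com
Subject: Re: Invoice 1042
Content-Type: text/plain; charset=utf-8

Hi, our bank details have changed since the invoice. Please pay the new account below.
"""

KNOWN_CONTACTS = {"Dave Plumbing": "dave@daveplumbing.co.uk"}  # constructed address book

if __name__ == "__main__":
    for name, sample in (("phish", PHISHING_SAMPLE), ("bec", BEC_SAMPLE)):
        print(name, check_email(sample, KNOWN_CONTACTS))
```

Note what the BEC sample shows: the From address is exactly the supplier's real one (a From header can be forged), so the address check alone passes; it is the mismatched Reply-To and the "bank details have changed" wording that give it away, which is why the phone call on a known number is the defence, not the email itself.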
Device Security: Your Phone and Laptop
Phone Security
Your phone contains your email, your banking app, your job management platform, your clients' contact details, and potentially your two-factor authentication codes. It is the single most sensitive device in your business.
Minimum requirements:
- A PIN of at least six digits (not 0000, 123456 or your birth year) or a biometric lock
- Auto-lock after 1 minute of inactivity
- Remote locate and wipe enabled (Find My on iPhone, Find My Device on Android)
- OS updates installed promptly, since many attacks exploit vulnerabilities in outdated software
- A SIM PIN, so a thief cannot move your SIM into another handset and receive your text-message codes
- Caution on public Wi-Fi: prefer your own mobile data for banking and client systems, or use a VPN
If your phone is stolen: From another device, use Find My / Find My Device to lock and wipe it, sign out of your email and other accounts on all devices, and change your passwords, starting with email. Ask your mobile provider to block the SIM so the number can't be used to receive 2FA codes, and use the recovery codes you saved when setting up 2FA to move your authenticator app to a new phone. Contact your bank, and report the theft to the police and to Action Fraud (0300 123 2040).
Laptop and Desktop Security
- Full disk encryption: On Mac (FileVault) and Windows (BitLocker), enable disk encryption. If the device is stolen while switched off or locked, the data on it is unreadable without the password. Save the recovery key the setup shows you in your password manager; without it, a forgotten password means the data is gone for you too.
- Automatic updates: Enable automatic OS and software updates, including your browser. After phishing, unpatched software is the most common way in.
- Regular backups: Back up important business data (client records, job history, invoices) to an external drive AND a cloud service, and keep the external drive disconnected except while backing up. Ransomware encrypts every drive it can reach, including a permanently plugged-in backup drive, and then demands payment for the decryption key. With a backup it couldn't touch, you restore instead of paying. Test a restore once so you know the backup actually works.
- Anti-malware: Microsoft Defender (built into Windows, free) is sufficient for most small businesses if kept updated. On Mac, the built-in protections are strong; consider Malwarebytes (free tier) for additional on-demand scanning.
Wi-Fi and Network Security
Van and Site Wi-Fi
Public Wi-Fi (on site, in coffee shops, at merchants) may be monitored or faked by someone nearby. Your bank's and HMRC's websites are encrypted with HTTPS regardless, but an attacker who controls the hotspot can still steer you to a fake login page or read traffic from apps that don't encrypt, so never click through a certificate or 'connection is not private' warning. Your own mobile data is the simplest safe option; otherwise a reputable VPN (Mullvad or Proton VPN, a few pounds a month) encrypts everything leaving your device and removes most of the risk.
Home and Office Network
- Change your router's default admin password. Older routers ship with 'admin/admin', which is publicly known, and a password printed on the label is known to anyone who has been in your house. While you're in the settings, turn on automatic firmware updates and switch off WPS (the push-button pairing feature, which has known weaknesses).
- Enable WPA3 encryption on your Wi-Fi (or WPA2 with a long passphrase if your router doesn't support WPA3)
- Create a separate guest network for visitors and for smart devices (TVs, Amazon Echo, etc.). These are more vulnerable and should be isolated from the main network where your business devices live.
The Simple Security Audit: Do This This Week
- Install Bitwarden and generate a new, unique password for your email, bank, and HMRC accounts. (1 hour)
- Enable 2FA on your email, bank, and HMRC, and save the recovery codes in your password manager. (30 minutes)
- Enable screen lock and remote wipe on your phone. (10 minutes)
- Enable disk encryption on your laptop. (10 minutes to enable, runs in background)
- Set up a cloud backup for business data. Google Drive or Dropbox (free tier) for documents; check your job management platform backs up automatically. (20 minutes)
Total time investment: approximately 2 hours. The protection this provides against the most common attack vectors is substantial.
FAQ
Do I need to register with the ICO as a sole trader?
Most data controllers need to register with the ICO and pay the data protection fee (£40 a year for the smallest businesses at the time of writing). There are exemptions: if you only process personal data for staff administration, your own accounts and records, or marketing your own business, you may be exempt. Check the ICO's self-assessment tool at ico.org.uk. If in doubt, register; £40 a year is cheap compliance insurance.
What happens if I get a GDPR complaint from a client?
First, don't panic. Handle it professionally and promptly. You must respond to a data subject request (for example, a client asking what data you hold about them) within one calendar month. Tell them honestly what you hold. If they ask you to delete their data, delete it and confirm in writing, unless you have a genuine reason to keep some of it, such as invoices you are required to retain for tax records, in which case say so. The ICO is most interested in businesses that are deliberately uncooperative or negligent; genuine attempts at compliance are treated very differently.
I use WhatsApp to communicate with clients — is that a GDPR issue?
WhatsApp is run by a US company, and for business use the ICO's normal rules on choosing service providers and sending data abroad apply. In practice, the ICO's focus for small businesses is on significant data breaches and egregious non-compliance, not on the messaging platform you use to book appointments. Be sensible: don't share one client's details with another client via WhatsApp, keep your phone secure, don't store sensitive financial information (card numbers, bank details) in chats, and delete old chats you no longer need.
How do I know if I've been hacked?
Warning signs include: unexpected password reset emails, logins to your accounts from unfamiliar locations (most email providers show recent sign-in activity), forwarding rules or filters in your mailbox that you didn't create, clients reporting they've received strange emails from you, unexpected charges on your bank account, or a computer that is suddenly slow with disk activity you didn't initiate. If you suspect a compromise: from a different, clean device, change your passwords (email first), sign out all other sessions, enable 2FA everywhere, contact your bank, and report to Action Fraud. Have I Been Pwned (haveibeenpwned.com), a free service run by security researcher Troy Hunt and recommended by the NCSC, tells you whether your email address appears in known data breaches; if it does, change the passwords you used on the breached services.
Ready to work smarter?
Join thousands of tradespeople using AI to save time on quotes, invoices, and job planning.
Try Sleepless Tradesman Free